Security Service Level Agreement (SLA)
1. Purpose
This document defines the security Service Level Agreements (SLAs), special termination rights, and audit rights applicable to customers using our Confluence Cloud applications. Our goal is to ensure transparency, compliance, and security in our services.
2. Scope
This policy applies to all customers, partners, and third-party vendors engaged with our Confluence Cloud applications.
3. Security Service Level Agreements (SLA)
3.1 System Availability
We commit to maintaining 99.9% uptime for our Confluence Cloud applications, excluding scheduled maintenance. Downtime is calculated monthly and communicated to customers upon request.
3.2 Incident Response Time
We guarantee the following response times for security incidents based on severity:
Severity Level | Definition | Initial Response Time | Resolution Timeframe |
---|---|---|---|
Critical | Data breach, active exploit, or service-wide outage | Within 1 hour | Continuous effort until resolved |
High | Vulnerability exposing sensitive data or impacting multiple users | Within 4 hours | Resolved within 24 hours |
Medium | Potential security risk without immediate exploitation | Within 12 hours | Resolved within 7 days |
Low | Minor security concerns or general inquiries | Within 24 hours | Resolved within 30 days |
3.3 Data Protection Measures
Encryption at rest and in transit using industry-standard protocols.
Regular security audits and penetration testing.
Strict access control policies with role-based permissions.
Compliance with GDPR, CCPA, and other relevant regulations.
4. Special Termination Rights
Customers have the right to terminate their contract without penalties under the following conditions:
A material security breach that remains unremediated for more than 30 days after written notice.
Failure to meet SLA commitments for three consecutive months.
Regulatory non-compliance that affects customer data security.
In the event of termination due to security concerns, we will:
Provide a complete data export upon request.
Ensure permanent deletion of customer data within 30 days of contract termination.
Offer transition assistance to minimize service disruption.
5. Audit Rights
Customers have the right to audit our security practices to ensure compliance with contractual obligations. Audit requests must adhere to the following:
5.1 Audit Request Process
Customers must provide 30 days’ notice for an audit request.
Audits must be conducted once per year unless a critical security issue necessitates additional reviews.
Audits must be performed by a mutually agreed-upon third-party auditor or the customer’s internal team.
5.2 Audit Scope
Review of security policies, incident response processes, and compliance measures.
Inspection of access control, encryption practices, and data protection measures.
Vulnerability assessment reports and penetration test summaries.
5.3 Confidentiality and Limitations
Auditors must sign a Non-Disclosure Agreement (NDA) before accessing security documentation.
Audits must not disrupt normal business operations.
Findings will be shared with both parties, and we will provide a remediation plan for any identified security gaps.
6. Continuous Improvement
We continuously refine our security practices, SLAs, and compliance measures based on industry standards, regulatory requirements, and audit findings.